036.md

Shambolic Opaque Swift

Medium

An admin misconfiguration will cause a DoS for all market users

Summary

The lack of validation in setProtocolFeeAddress will cause a complete denial-of-service (DoS) for all market participants as an admin can set protocolFeeAddress to a non-payable contract, making fee transfers revert and halting core functionalities.

Root Cause

In ReputationMarket.sol#L1093 the function applyFees immediately sends ETH to protocolFeeAddress. However, in setProtocolFeeAddress, there is no validation to ensure the new address can receive ETH. This omission allows admins to accidentally configure a non-payable address, causing all subsequent fee transfers to fail.

Internal Pre-conditions

1. Admin calls setProtocolFeeAddress with a contract address that cannot receive ETH (e.g., no payable fallback).
2. The protocol sets protocolFeeAddress to this invalid address without any checks.

External Pre-conditions

No response

Attack Path

1. The admin sets protocolFeeAddress to a non-payable contract via setProtocolFeeAddress.
2. A user calls buyVotes or sellVotes, triggering the applyFees function.
3. applyFees attempts to send ETH to the invalid protocolFeeAddress, reverting the transaction.
4. All subsequent fee-based operations fail, causing a complete DoS.

Impact

The entire protocol is effectively shut down for fee-based operations because transactions will revert when sending ETH to the invalid address. Users cannot buy or sell votes, and the market is unusable until the admin corrects the address.

PoC

No response

Mitigation

1. Validate the address: Ensure protocolFeeAddress is capable of receiving ETH. One approach is to test-send a minimal amount of ETH before finalizing the change.
2. Batch Fee Collection: Accumulate fees in the contract, then allow periodic manual withdrawal by the admin. Even if the withdrawal address fails, it won’t break user-facing functionality.